A malicious npm package called “solders” uses more than half a dozen layers of obfuscation in a convoluted, multistage attack to spread Pulsar RAT, Veracode researchers reported Monday.
The attack begins with a postinstall hook that runs the file lib.js as soon as the package is installed, without any further user interaction.
1. Obfuscation using Japanese Unicode characters
This lib.js file appears to be a random jumble of Japanese Katakana and Hiragana characters separated by commas but is actually functional JavaScript code hidden using a unique obfuscation technique.
The Japanese Unicode characters serve as variables assigned to other characters within strings in the code. Rather than hardcoding these strings, the code uses JavaScript’s type coercion to construct them (e.g., “.” + {} evaluates to the string “.[object Object]”).
The code ultimately reconstructs, from these Japanese symbols, a reference to the Function constructor, which is then used to create the String.fromCharCode function (also obfuscated as a Japanese character).
This function assembles the next step, which calls the Function constructor again to create a custom join method that joins a long array of Japanese characters into a single deobfuscated string, which is the next stage payload.
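The two signals described so far, an install-time hook and a lib.js whose identifiers are mostly kana glued together with coercion tricks, are cheap to check for before a package is allowed into a build. The following triage script is an added example and is not Veracode’s code or anything from the “solders” package; the package.json and lib.js it inspects are constructed samples, and the thresholds and regexes are heuristics chosen for the demo.

```javascript
// Added example (not Veracode's or the package's code): flag npm packages that
// combine an install-time lifecycle hook with JavaScript whose identifiers are
// dominated by Japanese kana and that use type-coercion primitives such as
// "." + {} to manufacture strings and reach the Function constructor.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const KANA = /[\u3040-\u30ff]/gu;                       // Hiragana + Katakana blocks
const STRING_LIT = /(["'`])(?:\\.|(?!\1)[^\\])*\1/g;    // crude string-literal matcher
const COERCION = [
  /\+\s*\{\}/,            // x + {}  -> "...[object Object]"
  /\[\]\s*\[/,            // [][...] stepping through Array.prototype methods
  /["']constructor["']/,  // reaching the Function constructor by name
];

function findInstallHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
}

function scoreSource(src) {
  // Blank out string contents so ordinary Japanese text in messages is not counted.
  const code = src.replace(STRING_LIT, '""');
  const letters = code.match(/\p{L}/gu) || [];
  const kana = code.match(KANA) || [];
  const kanaRatio = letters.length ? kana.length / letters.length : 0;
  const coercionHits = COERCION.filter((re) => re.test(src)).length;
  // Thresholds are demo heuristics, not published detection logic.
  return { kanaRatio, coercionHits, suspicious: kanaRatio > 0.5 && coercionHits >= 2 };
}

// files: { "package.json": "...", "lib.js": "..." } as extracted from a tarball.
function triagePackage(files) {
  const hooks = files["package.json"] ? findInstallHooks(files["package.json"]) : [];
  const flagged = Object.keys(files)
    .filter((f) => f.endsWith(".js") && scoreSource(files[f]).suspicious);
  return { hooks, flagged, verdict: hooks.length > 0 && flagged.length > 0 ? "review" : "ok" };
}

// Constructed sample mimicking the described pattern (not the real lib.js).
const SAMPLE = {
  "package.json": '{"name":"constructed-sample","version":"1.0.0","scripts":{"postinstall":"node lib.js"}}',
  "lib.js": 'var ア="."+{},イ=ア[1]+ア[2],ウ=[]["flat"]["constructor"],エ=ウ("return String")();',
  "greeting.js": 'const greeting = "こんにちは"; module.exports = () => greeting;',
};

console.log(triagePackage(SAMPLE)); // { hooks: ['postinstall'], flagged: ['lib.js'], verdict: 'review' }
```

greeting.js stays clean because kana inside string literals are ignored, so a legitimately Japanese-localised package does not trip the identifier check on its own.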
2. Additional hex encoding and array shuffling
The payload decoded from the Japanese characters was still obfuscated, this time with hexadecimal encoding and array shuffling, which the researchers noted was much simpler to undo.
Hex encoding represents each character of a string by its base-16 code rather than the plain character itself. The arrays in the code were also stored out of order and shuffled back into the correct order at runtime.
This payload ultimately runs a PowerShell command that retrieves additional content from an external URL.
3. Binary array encoding
The retrieved content was obfuscated using a separate technique, in which a custom function named yclf converts an array of binary strings into their corresponding ASCII characters. The binary array is ultimately reconstructed into a further PowerShell script.
4. Base64 encoding
The strings in the decoded PowerShell script are further encoded using Base64. When decoded, this script attempts to make additions to the Windows Defender exclusion list and downloads a batch file from another external URL.
5. Reordering strings via environment variables
The batch script assembles the next stage of the attack using repetitive code that assigns strings to seemingly random environment variable names and then retrieves the strings from these environment variables in a predetermined order. The result is a compressed .NET dynamic link library (DLL).
6. 3DES encryption
The .NET DLL is both Base64 encoded and encrypted using triple Data Encryption Standard (3DES) encryption, which applies the DES cipher algorithm three times for each data block. The DLL is also compressed using gzip.
7. Image steganography
The .NET DLL is loaded into memory and executed to retrieve another file, a PNG image, from yet another external URL. Here, the attackers use steganography, a method of hiding data within another seemingly benign piece of digital content, to conceal an additional .NET DLL within the pixels of the image.
This .NET DLL contains the final payload, the open-source Pulsar Remote Administration Tool (RAT), which would give the attacker remote control over the victim’s Windows machine.
Veracode reported the malicious package to npm – as of Monday afternoon, the package was still available on the npm repository. The package was first published around May 26, 2025, and has about 320 weekly downloads.
The package was published by a user named codewizguru, who has also published another malicious package called @mediawave/lib, Veracode noted.